DSHIELD has published a write-up, called "Javascript hiding everywhere", about some of the places where JavaScript can exist.
Some of those places include:
– Quicktime
– Flash
– PDF Files
– MP3s
"Frequent readers will know that we often recommend to ease up on allowing scripting as it’s used by the bad guys. XSS
bugs are basically so bad, not for the example <sc ript>alert()’XSS’*</sc ript> (spaces added for the overly
paranoid web content filters) you might see, but for much nastier things starting with capturing your cookies (read
credentials, session keys etc.). Keyloggers aren’t impossible either and making you unknowingly upload files from
your hard disk to malicious websites etc. is all quite possible in javascript.
And if you supposed it stops in your browser seeing javascript in HTML pages themselves, think again:"
Article Link: http://jeremiahgrossman.blogspot.com/2007/03/big-trouble-if-pci-dss-requires-csrf.html